Atheon -Atheon is a community-driven pattern matching engine

Atheon, a community-driven pattern matching engine, launched as a CLI tool that scans any input for user-defined patterns, returning true or false for each rule. It can be used as a pre-commit hook, MCP server, or in CI pipelines to block sensitive data like leaked credentials or API keys before they leave the machine. The project aims to build a shared library of patterns contributed by the community.

One tool. All patterns. Any input. Atheon is a community-driven pattern matching engine. You define what you're looking for. You point it at anything. It finds every match and tells you exactly where returning a clear true or false for every rule, every time. Atheon is a CLI tool built around a single idea: any pattern, any domain, any input. It doesn't care whether you're scanning for leaked credentials, patient identifiers, financial account numbers, prohibited strings in compliance-scoped code, or anything else you can describe as a rule. If the pattern is clear if it can return true or false Atheon runs it. The engine itself is deliberately minimal. It has no opinions about what matters. That knowledge lives in the patterns, and the patterns come from the community. Three ways people use Atheon: Pre-commit / pre-push hook — blocks bad commits before they leave the machine. Exit code 1 on any finding, which is all a hook needs to abort. MCP server — atheon-mcp speaks the Model Context Protocol. Wire it into Claude, Cursor, or Windsurf and the AI can scan code mid-generation, before it ever reaches a file. CI pipeline — drop atheon --categories=secrets . into any pipeline. Native binary, no runtime, no dependencies, runs in milliseconds regardless of pattern count. Atheon isn't trying to be the next big secrets scanner. It's not competing to become a giant. It's trying to be a platform . Here's the idea: a developer on a team is working with sensitive data. They write a pattern for Atheon, contribute it, and it ships in the next release. Now everyone using Atheon has that pattern registered. The next team in a similar situation doesn't have to build it from scratch it's already there. That's Atheon: a community-driven engine where you, me, and anyone else can add patterns that every user benefits from. The goal is a library of rules that covers every domain where text contains something that matters built not by one company, but by everyone who uses it. Security. Compliance. Finance. Healthcare. Legal. Operations. Gaming. Anything. If you can describe the rule, Atheon can run it. Skip to 9:36 for the live demo, or watch the whole thing to see what Atheon is about. A developer wraps up a sprint and pushes a configuration file. Buried in a comment from a debugging session three weeks ago is a production API key. The commit goes through. The pipeline passes. Two months later, someone notices unusual billing activity. Atheon, wired into a pre-push hook: bash $ atheon ./ openai-api-key config/app.yaml:47 de 4f59 1 finding s scanned 23 file s 41.3 KB 4ms Exit code 1 . The push never happens. The key never leaves the machine. That's it. That's the product. Homebrew macOS / Linux : brew tap HoraDomu/atheon brew install atheon Scoop Windows : scoop bucket add atheon https://github.com/HoraDomu/scoop-atheon scoop install atheon Manual: Download the binary for your platform from Releases https://github.com/HoraDomu/Atheon/releases/latest . No install, no runtime, no dependencies. Drop it in your PATH and run it. Build from source: go build -o atheon . atheon <path scan a directory or file atheon --file <path scan a single file explicitly atheon --env scan all environment variables atheon --json <path output findings as JSON atheon --categories=<c1,c2 <path scan specific pattern categories only atheon --all <path include disabled patterns in scan atheon list list all patterns with enabled/disabled status atheon list --enabled list only enabled patterns atheon list --disabled list only disabled patterns atheon list --category=<cat list patterns for a specific category atheon list categories list available category names atheon enable <pattern enable a pattern by name atheon disable <pattern disable a pattern by name atheon update download the latest patterns bundle atheon --version show version atheon --help show help Pipe support — pass - or --stdin to read from stdin: cat file.txt | atheon - git diff | atheon - git diff | atheon --stdin Exit code 0 = clean. Exit code 1 = findings. CI-friendly by default. Category filtering Patterns are organized into categories. Run only what you need: atheon --categories=secrets . atheon --categories=secrets,pii . atheon list categories atheon list --category=secrets This keeps scans fast regardless of how many patterns are in the bundle. A pre-commit hook scanning only secrets costs nothing for PII patterns you don't need in that context. Cross-platform: native binaries for Windows, macOS Intel + Apple Silicon , and Linux. No runtime, no dependencies. Ignore rules Directory scans automatically respect .gitignore . Drop a .atheonignore in your project root to exclude anything not already covered — test fixtures, generated files, .env files: .atheonignore test/ .generated.go .env negation — ignore all of dist/ except this one file dist/ dist/keep.yaml character class negation — exclude files not ending in .go or .yaml a-z .txt Full gitignore syntax is supported including , negation rules, and ... character class negation. JSON output with flags --json must be the first flag. It can precede any scan command: atheon --json ./ atheon --json --file config.yaml atheon --json --env atheon --json --categories=secrets ./ To suppress a single line without ignoring the whole file, add atheon:ignore anywhere on that line: DEBUG KEY=sk-fake-key-for-testing atheon:ignore JSON output Use --json to integrate with other tools or build your own pipeline on top: atheon --json ./ Output is a JSON array, one object per finding: {"pattern":"openai-api-key","file":"config/app.yaml","line":47,"match":" debug key: sk-..."} Environment scanning --env scans every variable in the current environment useful in CI to catch patterns injected at runtime rather than stored in files: atheon --env Pre-commit / pre-push hook Drop Atheon into a git hook to block bad commits before they leave the machine: bash .git/hooks/pre-push /bin/sh atheon ./ Or with category filtering for speed: bash /bin/sh atheon --categories=secrets ./ Wire it into whatever hook runner you already use pre-commit, Husky, Lefthook . Atheon returns exit code 1 on any finding, which is all a hook needs to abort. MCP server Atheon ships a separate atheon-mcp binary that speaks the Model Context Protocol over stdio. Drop it into any MCP-compatible AI tool to let the assistant scan code, files, and directories for pattern matches. Download releases: - Linux: atheon-mcp-linux-amd64 or atheon-mcp-linux-arm64 - macOS: atheon-mcp-darwin-amd64 or atheon-mcp-darwin-arm64 - Windows: atheon-mcp-windows-amd64.exe Homebrew: brew tap HoraDomu/atheon brew install atheon Installs both atheon and atheon-mcp Scoop Windows : scoop bucket add atheon https://github.com/HoraDomu/scoop-atheon scoop install atheon Includes both atheon and atheon-mcp Build from source: go build -o atheon-mcp ./cmd/mcp Claude Code: { "mcpServers": { "atheon": { "command": "/path/to/atheon-mcp" } } } Cursor: { "mcpServers": { "atheon": { "command": "atheon-mcp", "args": } } } Windsurf: { "mcpServers": { "atheon": { "command": "/usr/local/bin/atheon-mcp" } } } scan string - Scan text content for patterns: { "name": "scan string", "arguments": { "content": "API KEY=sk-1234567890abcdef", "source": "environment", "categories": "secrets" } } scan file - Scan a single file: { "name": "scan file", "arguments": { "path": "/path/to/config.yaml", "categories": "secrets", "pii" } } scan dir - Scan entire directories: { "name": "scan dir", "arguments": { "path": "/path/to/project", "categories": "secrets", "pii", "code-quality" } } Claude Code Example: User: "Can you scan the current directory for security issues?" Assistant: Uses scan dir tool "I found 3 security issues in your codebase..." Cursor Example: User: "@Atheon scan this file" Assistant: Uses scan file tool "Found 2 patterns in config.yaml..." Available categories for filtering: secrets - API keys, tokens, credentials pii - Personal information SSN, credit cards, etc. code-quality - Debug statements, TODOs, technical debt healthcare - Medical identifiers, PHI patterns finance - IBAN, ABA routing numbers, SWIFT/BIC codes Omit the categories parameter to scan all categories. All patterns live in community/ as plain YAML files — no Go required. The engine ships with a compiled bundle embedded in the binary. Run atheon update to pull the latest bundle from the release. The update command reports exactly what changed — which patterns were added or removed. Adding a new pattern is one file: community/secrets/my-service.yaml name: my-service-api-key match: '\bmsvc A-Za-z0-9 {32}\b' enabled: false optional — omit to default to true Fields: name — unique lowercase-hyphenated identifier. Be specific: stripe-live-key , not stripe . match — a valid RE2 regex. Use single quotes so backslashes don't need escaping. enabled — optional. Defaults to true . Set to false to ship the pattern disabled-by-default useful for high-false-positive patterns users can opt into . The folder name is the category. No engine changes, no recompile, no release gate. Pattern state atheon enable and atheon disable write state to ~/.atheon/pattern state.json . The state survives binary updates and atheon update — your enabled/disabled preferences are reapplied on top of each new bundle automatically. atheon enable stripe-live-key atheon disable console-log atheon list --enabled atheon list --disabled Patterns are the heart of Atheon. Every pattern is one YAML file — small, fast to review, and immediately useful to every user once merged. See CONTRIBUTING.md /HoraDomu/Atheon/blob/main/CONTRIBUTING.md to add your own. See ROADMAP.md /HoraDomu/Atheon/blob/main/ROADMAP.md for what categories and domains need patterns most. New versions ship on the 10th and 21st of every month . Releases are fully automated tagging a version builds all platform binaries, generates the patterns bundle, and publishes everything to GitHub Releases, Homebrew, and Scoop automatically. Latest release: github.com/HoraDomu/Atheon/releases/latest https://github.com/HoraDomu/Atheon/releases/latest Atheon is built by the community. Every pattern contributed ships to every user in the next release. See everyone who has helped make it here: CONTRIBUTORS.md /HoraDomu/Atheon/blob/main/CONTRIBUTORS.md Questions, pattern requests, or anything else: Email: dommcpro@gmail.com mailto:dommcpro@gmail.com MIT with Additional Terms Copyright © 2026 Dominick Yanez You are free to fork, clone, study, modify for personal or internal use, and contribute patterns or bug fixes back. That's encouraged. What you may not do: - Ship this software, or any derivative of it, as your own standalone product under a different name or brand - Remove or obscure the author's name or copyright notice from any copy, fork, or derivative work For permissions beyond this scope: dommcpro@gmail.com mailto:dommcpro@gmail.com See the full LICENSE /HoraDomu/Atheon/blob/main/LICENSE file for complete terms.